From 8dcf367e5223ae26b57c9bbfaec6e70ac14bb820 Mon Sep 17 00:00:00 2001
From: Antonis Geralis <43617260+planetis-m@users.noreply.github.com>
Date: Mon, 5 Sep 2022 09:26:02 +0300
Subject: Prevent use-after-free bugs in object variants. Fixes bug #20305 (#20300) [backport]

prevent use-after-free bugs in cased objects

the bug happens specifically when deleting an item in a seq. The item taking it's place might not have the same case fields. Then =sink(x[i], move x[xl]) might leave the deleted fields still in memory! If the new item switches branches again, you get a use-after-free bug.
---
 compiler/liftdestructors.nim | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'compiler')

diff --git a/compiler/liftdestructors.nim b/compiler/liftdestructors.nim
index 68c93a179..5174a908f 100644
--- a/compiler/liftdestructors.nim
+++ b/compiler/liftdestructors.nim
@@ -165,9 +165,12 @@ proc fillBodyObj(c: var TLiftCtx; n, body, x, y: PNode; enforceDefaultOp: bool)
       # the value needs to be destroyed before we assign the selector
       # or the value is lost
       let prevKind = c.kind
+      let prevAddMemReset = c.addMemReset
       c.kind = attachedDestructor
+      c.addMemReset = true
       fillBodyObj(c, n, body, x, y, enforceDefaultOp = false)
       c.kind = prevKind
+      c.addMemReset = prevAddMemReset
       localEnforceDefaultOp = true
 
     if c.kind != attachedDestructor:
-- 
cgit 1.4.1-2-gfad0
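Review bot: The added `c.addMemReset = true` is the line that actually closes the use-after-free described in the commit message, but nothing at that spot says why it is needed; the existing comment only explains destroying the old value before the selector is assigned. A short comment next to it would keep a later reader from dropping it as redundant, e.g. `# also zero the destroyed branch's fields: the incoming value may select another branch, and a later branch switch must not read freed memory`. The save/restore of `prevKind` and `prevAddMemReset` is now two hand-paired assignment pairs; if this grows further, a small template that saves, sets and restores both fields around the recursive call would make the pairing harder to break. The enclosing `if` block and fillBodyObj itself continue outside the hunk.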